Maybe we should just give up trying to maintain secure enterprise networks; it’s just too hard.
When we surveyed practitioners, 71% of respondents admitted that their networks are exposed to external threats due to misconfiguration issues in their security device infrastructure. Verizon reports that 79% of organizations fail to maintain PCI compliance from their prior year’s assessment. More than 50 percent told us they had no idea how many of their organizations’ internal hosts were exposed to the Internet.
We know that even in this era of constrained budgets, enterprises are spending more on network security—and yet 75% of network and security pros agree that the advantage is still on the side of the attacker. Verizon reports that security “erosion” over the course of the year between PCI audits is the norm with most enterprises, despite the fact that we know there’s a correlation between slippage and data breaches.
Maybe it’s time to re-evaluate our priorities. As our CTO Dr. Mike points out, there’s a general consensus to focus on the core controls. If you’re already covering 90% of the basics, security pros agree it is wiser to push for 100% than to expand the number of controls.
But if you’re focused on the core controls, how do you know what percentage level you’re at, and where the areas of exposure are? That’s where security metrics come in.
In this case, we’re referring to actionable security metrics — those that provide proactive security intelligence, a direct incentive to act. Many of the metrics available to security pros (number of patches, number of vulnerabilities, number of firewall and router config changes) lack context, or simply measure worker hours. They don’t characterize risk in a meaningful way, nor do they point towards a specific resolution.
Hitting The Books
In his seminal tome Security Metrics: Replacing Fear, Uncertainty and Doubt, Andrew Jaquith describes the value of security metrics by referencing other business disciplines. For example, freight companies know their freight cost per mile and loading factors, and those of their competitors. Management can set objectives and measure themselves against comparable companies. Choosing to be above, on, or below an industry average is a question of strategy as well as operational efficiency. For example, a freight company may be willing to have a lower load factor than its peers if that’s the tradeoff required to offer faster delivery times (for which it presumably charges a premium).
Similarly, warehousing firms measure and compare their cost per square foot and inventory turns, and e-commerce companies measure site conversion rates. Financial metrics have been established for many years. Companies can therefore compare relevant metrics to those of their peers in order to evaluate internal performance.
Could such a use of metrics apply to security? Yes, but only if consistently generated within the context of a security framework.
Building Blocks
The three pillars of security, as we see it here, are visualize, comply and protect. Logically then, if we build a framework on those pillars we’ll be able to generate meaningful security metrics.
Visualize: There is wisdom in Requirement 1 of the PCI DSS, in the section entitled “Build and Maintain a Secure Network”: the requirement is to create a network diagram, and keep it current. Why? You can’t secure what you can’t see. And yet, according to Verizon, Requirement 1 has the second-highest erosion factor out of the nine requirements not specific to planning and checking. When security pros can visualize the network topology—including groups that clearly identify zones (such as the DMZ) and untrusted sources—they become much more effective in creating effective segmentation strategies and policies, and in maintaining compliance.
Comply: Compliance refers to PCI, FINRA, FFIEC, SOX and other regulatory frameworks, of course, but also internal policies, and best practices from sources such as SANS’ 20 Critical Security Controls, Version 3.0. However, complying with regulatory and internal policies is in most cases open loop: we perform security measures in an effort to comply, but other than regulatory audits we’re mostly in the dark as to how effective our security controls remain over time. We need to move from open loop security to closed loop, with feedback controls that allow us to make continuous adjustments to thwart erosion.
Protect: The fundamental security question is whether the network is protected. How can we know what’s working, and where additional focus is required? By developing a security framework that provides security metrics — feedback controls, from which effective remediation for erosion can be devised. Security metrics enable enterprises to answer questions such as:
1. What’s my overall risk; how does it compare to yesterday, last week, last month and last year?
2. How easily can attackers get in?
3. How big is my attack surface?
4. How much of my infrastructure is undocumented?
5. Are investments and actions paying off?
6. Where do we need to improve?
7. Are we ready for our next audit?
Note that the questions above relate to actual network security, unlike, say, how many hosts were patched in the last month (time check) or how many vulnerabilities are being scanned (no context).
Comparing Models
Are these good security metrics? Let’s look at Andrew Jaquith’s definition:
1. Consistently measured, without subjective criteria;
2. Cheap to gather, preferably in an automated way;
3. Expressed as a cardinal number or percentage, not as high, medium or low;
4. Expressed using at least one unit of measure, such as “number of hosts directly exposed”; and
5. Contextually specific: relevant enough that someone can read it and take action.
The security metrics provided in RedSeal 5 satisfy all of Jaquith’s criteria for good metrics, empowering our customers to continuously monitor their network through a closed loop process and therefore address problem areas—and in doing so protect their organization’s network.
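To make the criteria concrete, here is an added example (not from the original post, and not RedSeal’s own code) that derives two of the metrics from the question list above, “hosts directly exposed to the Internet” and “undocumented hosts”, from a constructed inventory, firewall rule set and observed-host list, expresses them as counts and percentages, and compares them with a prior snapshot to flag erosion. The zone names, hosts and rules are made up for illustration.

```python
# Constructed sample data (not from the original post). Inventory maps each
# documented host to its zone; rules are (source_zone, destination_host, port).
INVENTORY = {"web-01": "DMZ", "web-02": "DMZ", "app-01": "Internal", "db-01": "Internal"}

PREVIOUS_RULES = [("Internet", "web-01", 443), ("Internet", "web-02", 443), ("DMZ", "app-01", 8080)]
# Current snapshot: a new rule lets the untrusted zone reach an internal database.
CURRENT_RULES = PREVIOUS_RULES + [("Internet", "db-01", 3306)]

# Hosts actually seen on the wire (e.g. from flow or ARP data); "legacy-01" is
# present on the network now but was never added to the inventory diagram.
PREVIOUS_OBSERVED = {"web-01", "web-02", "app-01", "db-01"}
CURRENT_OBSERVED = PREVIOUS_OBSERVED | {"legacy-01"}


def exposed_hosts(rules, untrusted="Internet"):
    """Hosts with at least one allow rule whose source is the untrusted zone."""
    return sorted({dst for src, dst, _port in rules if src == untrusted})


def undocumented_hosts(observed, inventory):
    """Hosts seen on the network that do not appear in the documented inventory."""
    return sorted(set(observed) - set(inventory))


def metrics(inventory, rules, observed):
    """Cardinal numbers and percentages, each with an implied unit (hosts)."""
    exposed = exposed_hosts(rules)
    undoc = undocumented_hosts(observed, inventory)
    total = len(observed)
    return {
        "hosts_exposed_to_internet": len(exposed),
        "pct_hosts_exposed": round(100.0 * len(exposed) / total, 1),
        "internal_hosts_exposed": sum(1 for h in exposed if inventory.get(h) == "Internal"),
        "hosts_undocumented": len(undoc),
    }


def erosion(previous, current):
    """Metrics that got worse (higher) since the last snapshot: (old, new) pairs."""
    return {k: (previous[k], v) for k, v in current.items() if v > previous.get(k, 0)}


def snapshot_comparison():
    before = metrics(INVENTORY, PREVIOUS_RULES, PREVIOUS_OBSERVED)
    after = metrics(INVENTORY, CURRENT_RULES, CURRENT_OBSERVED)
    return before, after, erosion(before, after)


if __name__ == "__main__":
    for label, value in zip(("before", "after", "erosion"), snapshot_comparison()):
        print(label, value)
```

Each metric is measured the same way every run, needs no human judgement, carries a unit (hosts), and points at something specific to fix: the database now reachable from the untrusted zone and the host missing from the diagram.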
Behold, security metrics that actually work.